<POLICY_DOCUMENT title="AS400 Policy For VSM" createDate="2000-05-18" 
updateDate="2000-08-25" author="Dave Lineman" docType="Policy Document Library" 
docState="System">

<POLICY_CATEGORY title="Password Management" orderValue="0"> 

<POLICY_STATEMENT identifier="CW_PD_MINLEN" rnmie="Minimum 
Password Length" categoryOrder="0" printFormat="0" 
agentIdentifier="VSM"> 
<POLICY_STATEMENT_TEXT>The length of passwords must 
always be checked automatically at the time that users construct 
or select them. All passwords must have at least eight (8) 
characters.</POLICY_STATEMENT_TEXT> 

<POLICY_STATEMENT_COMMENTARY>In many systems, fixed 
passwords are the first and only line of defense. Although it's a 
long-established hacker technique, guessing fixed passwords 
remains a popular and often successful attack method by which 
unauthorized persons gain system access. In the past hackers used 
manual methods, but these days password guessing is most often 
performed with automated tools like dictionary attack programs 
(so-called 'crack' programs). For related comments, see the 
policies entitled "Anonymous User-IDs," "Limit On Consecutive 
Unsuccessful Attempts To Enter A Password," "Maximum 
Permissible Password Attempts For Dial-Up Users," "Disclosure 
Of Information In System Log-in Banner," and "Requirement 
For Different Passwords On Different 
Systems."</POLICY_STATEMENT_COMMENTARY> 

<POLICY_STATEMENT_EXAMPLE>After a certain number of 
days, the accounting system will require you to choose a new 
password. In order to maximize security, you will be required to 
use at least 8 characters. It is best not to use dictionary names or 
other easily-guessed words.</POLICY_STATEMENT_EXAMPLE> 

<POLICY_STATEMENT_RELATIONSHIP 
policyStatementIdentifier="CW_PD_USRIDANN"/> 
<POLICY_STATEMENT_RELATIONSHIP 
policyStatementIdentifier="CW_PD_ATTEMPTLOGIN"/> 
<POLICY_STATEMENT_RELATIONSHIP 

policyStatementldentffi^^ 
<POLICY_STATEMENT_RELATIONSHIP 
policyStatementIdentifier="CW_PD_USRIDANON"/> 
<POLICY_ATTRIBUTE name="Audience"> 
<POLICY_ATTRIBUTE_VALUE name="Technical" /> 
</POLICY_ATTRIBUTE> 
<POLICY_ATTRIBUTE name="Environment"> 
<POLICY_ATTRIBUTE_VALUE name="Low Security" /> 
<POLICY_ATTRIBUTE_VALUE name="Medium Security" /> 
<POLICY_ATTRIBUTE_VALUE name="High Security" /> 
</POLICY_ATTRIBUTE> 

<POLICY_PARAMETER name="PSWRDMINLEN" type="characters" 
value="8" /> 



<PLATFORM_ACTION platformType="AS400" title="Audit 
Minimum Length of Passwords"> 
<PLATFORM_ACTION_TYPE>audit auto</PLATFORM_ACTION_TYPE> 

<PLATFORM_ACTION_DESCRIPTION>For AS400 this audit 
specifies the minimum number of characters in a password. 
The risk is that passwords that are common names/words, 
are too short, and/or have simple patterns are much easier to 
guess and are therefore weak. If QPWDMINLEN is set to 4 
or less, there is a greater chance that someone will guess the 
password or watch a password being entered. The remedy is 
that QPWDMINLEN should be set to 5 or 
greater.</PLATFORM_ACTION_DESCRIPTION> 
<ACTION_PARAMETER name="GTSCMNPWDL" 
dataType="characters" classification="value" orderIndex="1" 
score="10"> 
<ACTION_PARAMETER_VALUE>8</ACTION_PARAMETER_VALUE> 
</ACTION_PARAMETER> 
</PLATFORM_ACTION> 
</POLICY_STATEMENT> /** End of Policy Statement **/ 



</POLICY_CATEGORY> /** End of Policy Category **/ 
<SUPPORTED_LANGUAGE name="English" /> 

</POLICY_DOCUMENT> /** End of Policy Document **/ 
Access Control Policy for VSM 



Password Construction 



User-Chosen Passwords Must Not Be Reused 

Users must not construct passwords which are identical or substantially similar to 
passwords that they had previously employed. 

[Commentary] 



[Example] 




Cyclical Passwords Prohibited 

Users are prohibited from constructing fixed passwords by combining a set of 
characters that do not change, with a set of characters that predictably change. 
In these prohibited passwords, characters which change are typically based on 
the month, a department, a project, or some other easily-guessed factor. For 
example, users must not employ passwords like "X34JAN" in January, "X34FEB" in 
February, etc. 

[Commentary] 




Policy Statement Example - Microsoft 



POLICY EXAMPLES 



Example #1: 

For example, if your first password was 
"daveiza", you cannot create another 
password called "davel23" until 13 
passwords have been created. 